
MDM: From Nice to Have to Necessity

Jamf
November 13, 2019


Transcript

  1. Rich Trouton
     • 20 years of Mac system support experience
     • Generally can be found drinking a Diet Coke
     • Has been known to write things down
     • @rtrouton on Twitter and Slack
  2. • API for sending device management commands
     • For iOS, usable on iOS 4.x and later.
     • For macOS, usable on 10.7.x and later.
     • For tvOS, usable on tvOS 10.x and later.
     • Not all MDM commands are backwards-compatible
  3. Which things are only possible when using MDM?
     • DEP-enabled setup
     • Remote wipe
     • App distribution using VPP
     • UAMDM-based management
  4. How does MDM management work?
     • Apple's push notification services (APNS)
     • Mobile device management (MDM) server
  5. 1

  6. • APNS never needs an inbound network connection on your network.
     • Only outbound connections from your network to Apple's network (17.0.0.0/8) are needed for APNS.
     • APNS never makes unsolicited connections.
     • APNS uses TLS 1.2
     • APNS authenticates all transactions with device tokens and payload tokens, and validates all SSL certificates.
  7. What's an MDM server?
     1. HTTPS server
     2. Needs to be able to respond with both of the following:
        • HTTP 200 OK
        • A plist in XML format which contains a command.
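The two requirements on slide 7 in working code, as an added example that is not from the talk or from any Jamf or Apple product: a minimal MDM endpoint that accepts the plist a device PUTs (its Idle check-in or the result of the previous command) and answers with HTTP 200 plus the next queued command as an XML plist, or an empty 200 when nothing is pending. It assumes TLS termination, the device identity check and the APNS push that wakes the device are handled elsewhere; the device UDID and command queue are constructed for the example.

```python
import plistlib
import uuid
from collections import deque
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical per-device command queue, keyed by device UDID (assumption:
# a real server would persist this and track which commands were acknowledged).
COMMAND_QUEUES = {}

def build_command(request_type, **params):
    """Wrap an MDM command in the envelope the device expects: a CommandUUID
    plus a Command dict whose RequestType names the command."""
    command = {"RequestType": request_type}
    command.update(params)
    return {"CommandUUID": str(uuid.uuid4()), "Command": command}

def queue_command(udid, command):
    COMMAND_QUEUES.setdefault(udid, deque()).append(command)

def next_command(udid, status):
    """Pick the next command for this device, or None when the device said
    NotNow (it cannot run commands right now) or its queue is empty."""
    if status == "NotNow":
        return None
    queue = COMMAND_QUEUES.get(udid)
    return queue.popleft() if queue else None

def handle_device_message(body):
    """Turn the plist bytes the device sent into the plist bytes to send back
    with HTTP 200; an empty body means 'no commands pending'."""
    message = plistlib.loads(body)
    command = next_command(message["UDID"], message.get("Status"))
    return plistlib.dumps(command) if command else b""

class MDMHandler(BaseHTTPRequestHandler):
    # Devices PUT their status to the MDM URL and expect 200 OK plus a plist.
    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        reply = handle_device_message(body)
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

if __name__ == "__main__":
    # Constructed sample UDID; queue one DeviceInformation query for it.
    queue_command("CONSTRUCTED-UDID-0001",
                  build_command("DeviceInformation", Queries=["UDID", "OSVersion"]))
    HTTPServer(("127.0.0.1", 8080), MDMHandler).serve_forever()
```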
  8. MDM Server Certificates
     • APNS Vendor Certificate
     • Used to sign APNS push certificate's certificate requests (CSRs)
  9. APNS Apple ID Do's and Don'ts
     Do:
     • Have an Apple ID dedicated just to creating your APNS certificate.
     • Have multiple Apple IDs for your APNS certificates if you have more than one MDM server.
     • Have the Apple ID(s) documented.
  10. APNS Apple ID Do's and Don'ts
     Don't:
     • Use a personal Apple ID.
     • Use an Apple ID tied to your specific work email address.
     • Lose the password to your Apple ID(s).
  11. 1

  12. MDM

  13. MDM

  14. MDM

  15. MDM

  16. OS X Mavericks
     Kernel extensions should be digitally signed using an Apple Developer ID for Signing Kexts certificate, but this code signing requirement is not enforced strictly. Unsigned kernel extensions can still be installed into /System/Library/Extensions, which is where kernel extensions have been installed up until OS X Mavericks. However, signed kernel extensions must be installed into /Library/Extensions.

     OS X Yosemite
     Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. However, it is still possible on OS X Yosemite to enable a kernel extension developer mode which disables the code signing requirement.
  17. OS X El Capitan
     Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection, introduced as part of OS X El Capitan, now enforces code signing and explicitly disables the kernel extension developer mode previously available in OS X Yosemite.

     macOS Sierra
     Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.
  18. macOS High Sierra 10.13.0 - 10.13.3 + MDM
     Kernel extensions must be digitally signed using an Apple Developer ID for Signing Kexts certificate and installed into /Library/Extensions. System Integrity Protection remains the enforcement mechanism.
  19. Managed Clients for Mac OS X
     Managed      |                                          | User Control
     None, Never  | Unmanaged or never set                   | User has full control of setting
     Once         | Preset with value from MCX               | User has full control of setting
     Often        | Reset with value from MCX at each login  | User has full control of setting, resets back to MCX-enforced setting at logout
     Always       | Forced from MCX                          | User cannot control setting
  20. Mobile Device Management
     Managed      |                                          | User Control
     None, Never  | Unmanaged or never set                   | User has full control of setting
     Once         | Preset with value from MCX               | User has full control of setting
     Often        | Reset with value from MCX at each login  | User has full control of setting, resets back to MCX-enforced setting at logout
     Always       | Forced from MCX                          | User cannot control setting
  21. MDM ≠ Total Management
     Profile Can Do / Profile Cannot Do:
     • SSH
       Can do: Nothing
       Cannot do: Turn SSH on and off; Manage SSH configuration
     • Sudo
       Can do: Nothing
       Cannot do: Manage access to the sudo tool
     • Firewall
       Can do: Turn firewall on and off; Enable stealth mode; Block incoming connections; Allow or block applications from connecting
       Cannot do: Set IP- or DNS-based firewall rules
     • Application Access
       Can do: Whitelist application by code signature; Blacklist application by code signature
     • Directory Service
       Can do: Bind to Active Directory
       Cannot do: Bind to LDAP*
       *Can bind to Apple's Open Directory
  22. Script Can Do:
     • SSH: Turn SSH on and off; Manage SSH configuration
     • Sudo: Manage access to the sudo tool
     • Firewall: Turn firewall on and off; Enable stealth mode; Block incoming connections; Allow or block applications from connecting; Set IP- or DNS-based firewall rules
     • Directory Service: Bind to Active Directory; Bind to LDAP
  23. ?

  24. Profile vs. script
     1. See if you can use a profile.
     2. If not, use a script.
     3. Check back later to see if you can use a profile.
  25. Useful Links
     • Apple Mobile Device Management: https://developer.apple.com/documentation/devicemanagement
     • Apple Device Management documentation: https://developer.apple.com/documentation/devicemanagement
     • A Push Odyssey - Journey to the Center of APNS: https://www.youtube.com/watch?v=Z-Lg9uBbmfk
     • Getting MicroMDM working and working with MicroMDM: https://youtube.com/watch?v=WGKT-PyHz6I
     • Demystifying MDM: open source endeavours to manage Macs: https://youtube.com/watch?v=6DBGIDcBKFw
  26. Useful Links
     • Apple Mobile Device Management Profile-Specific Payload Keys: https://developer.apple.com/documentation/devicemanagement/profile-specific_payload_keys
     • Santa: https://github.com/google/santa
     • Gatekeeper automatically re-enables after 30 days on Yosemite and later: https://derflounder.wordpress.com/2015/07/31/gatekeeper-automatically-re-enables-after-30-days-on-yosemite-and-later/
  27. Downloads
     • PDF available from the following link: https://tinyurl.com/JNUC2019PDF
     • Keynote slides available from the following link: https://tinyurl.com/JNUC2019Keynote
  28. © JAMF Software, LLC
     Thank you. Give us feedback by completing the 2-question session survey.
     UP NEXT: Offboarding in a Modern Workflow, 4:00 PM